Prospective EESP use scenarios and solutions · 2019-10-02 · EVIDENCE2e-Codex project Florence,...


Prospective EESP use scenarios and solutions

Florence, 25th September 2019

Mattia Epifani / CNR-IGSG

EVIDENCE2e-CODEX Project

• Preparing the floor for the electronic exchange of electronic evidence in all the EU MS in the specific scenario of the European Investigation Order (EIO) and Mutual Legal Assistance (MLA) procedures

• Initiating the harmonization of the legal and technological frameworks and the stakeholder awareness on the treatment and the exchange of electronic evidence in the EIO and MLA procedures

• Implementing a ‘true to life’ example of successfully linking the EVIDENCE Project to e-CODEX Project’s results in support of an EIO case

EVIDENCE2e-Codex project Florence, 25th September 2019


E2E project: how can the goal be accomplished?


What is missing from this scenario?

• The message, with the Evidence Package (EP) attached, will travel through the R.I. and over e-CODEX

• The EP could be exchanged as a simple attachment

• It is essential to use a standard to represent the EP (data and metadata)

• UCO/CASE language

Standard representation for the EP

CASE (Cyber-investigation Analysis Standard Expression) is a community-developed standard to support:

• reporting of digital traces

• exchanging of digital traces

• tool validation

www.caseontology.org

What does the Evidence Package contain?

Elements: People, InvestigativeAction, Process/Lifecycle, Trace, Relationship, Instrument, Role

Examples from the demo case:

• People and roles: Martin Rohde (Forensic Expert), Saga Norén (Police Officer), Magnus Krepper (Suspect), Maria Kulle (Judge)

• Investigative actions: Search and seizure, Forensic Acquisition, Forensic Extraction; each recorded with date/time, who/what/when, and input and output

• Instruments: legal authorization (search warrant); forensic tool (Plaso)

• Process/lifecycle: Chain of Custody, Chain of Evidence

• Traces: Mobile Device, Disk, File, Message, PhoneAccount, EmailAccount

Sources of evidence

Device:
• Computer
• Smartphone
• Media (USB)
• Server
• CCTV
• IoT
• Cloud Infrastructure

ISP/CSP:
• Subscriber Information
• Traffic Data
• Content Data

Interception:
• Voice traffic
• Network traffic
• State Trojan

Devices

• Country A requests a search and seizure of digital devices

• Country B performs the search and seizure of a smartphone

SCENARIO A: Transfer of source of evidence

SCENARIO B: Transfer of acquired data (forensic image/extraction)

SCENARIO C: Transfer of processed/extracted data (e.g. call logs, SMS, WhatsApp, images, etc.)

EIO – Timeline in the Evidence Exchange Context

Actions:

• Search and Seizure

• Case preparation (select methods and tools)

• Forensic Acquisition (imaging)

• Forensic Extraction (data processing)

• Tools comparison

Tool: UCO / CASE Generator

• Application used to generate UCO / CASE language objects

• It can be used by
  • LE / JA to describe non-technical actions
  • FL to describe technical actions

• For example, a «Search and Seizure» action is described by
  • Authorization (JA)
  • Performer (LE)
  • Location
  • Result

Search and Seizure

Device:
Manufacturer: Samsung
Model: SM-G900F
IMEI: 356765064657669
Serial Number: FDG764192
Storage capacity: 64 GB
Clock setting: 2018-05-31 6:00
Mobile account: +393319420019
Item number: ITEM_00001

SIM:
Carrier: Telecom Italia
SIM Type: SIM
SIM Form: Micro SIM
ICCID: 89390100001847875453
IMSI: 222014603559590
Phone Number: 393319420019
PIN: 7571
PUK: 86245177
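As an added example (not the project's UCO / CASE Generator), the Python below builds a CASE/UCO-style JSON-LD bundle for the «Search and Seizure» action described on the generator slide, using the device values listed above, and checks that every node reference in the graph resolves. The namespace IRIs and property names are assumed to follow the public CASE/UCO vocabulary and are not validated against the ontology here.

```python
import uuid

# Prefix IRIs assumed to match the public CASE/UCO namespaces (not validated here).
CONTEXT = {
    "kb": "http://example.org/kb/",
    "uco-core": "https://ontology.unifiedcyberontology.org/uco/core/",
    "uco-action": "https://ontology.unifiedcyberontology.org/uco/action/",
    "uco-identity": "https://ontology.unifiedcyberontology.org/uco/identity/",
    "uco-observable": "https://ontology.unifiedcyberontology.org/uco/observable/",
    "case-investigation": "https://ontology.caseontology.org/case/investigation/",
}

def node(kind, **props):
    """Graph node with a fresh kb: identifier; property names below are assumed, not validated."""
    n = {"@id": f"kb:{uuid.uuid4()}", "@type": kind}
    n.update(props)
    return n

def build_search_and_seizure():
    """Judge (JA), officer (LE), warrant, seized phone and the action tying them together."""
    judge = node("uco-identity:Person", **{"uco-core:name": "Maria Kulle"})
    officer = node("uco-identity:Person", **{"uco-core:name": "Saga Norén"})
    warrant = node("case-investigation:Authorization", **{
        "uco-core:name": "Search warrant", "uco-core:createdBy": {"@id": judge["@id"]}})
    phone = node("uco-observable:ObservableObject", **{"uco-core:hasFacet": [
        {"@type": "uco-observable:DeviceFacet", "uco-observable:model": "SM-G900F",
         "uco-observable:serialNumber": "FDG764192"},
        {"@type": "uco-observable:MobileDeviceFacet", "uco-observable:IMEI": "356765064657669",
         "uco-observable:storageCapacityInBytes": 64 * 1024 ** 3},
        {"@type": "uco-observable:SIMCardFacet", "uco-observable:ICCID": "89390100001847875453",
         "uco-observable:IMSI": "222014603559590"}]})
    action = node("case-investigation:InvestigativeAction", **{
        "uco-core:name": "Search and Seizure",
        "uco-action:performer": {"@id": officer["@id"]},   # LE who executed the action
        "uco-action:instrument": {"@id": warrant["@id"]},  # legal authorization from the JA
        "uco-action:result": [{"@id": phone["@id"]}]})     # what the action seized
    return {"@context": CONTEXT, "@graph": [judge, officer, warrant, phone, action]}

def dangling_refs(bundle):
    """Return referenced @id values that no node in the graph defines (should be empty)."""
    defined = {n["@id"] for n in bundle["@graph"]}
    seen, stack = set(), list(bundle["@graph"])
    while stack:
        v = stack.pop()
        if isinstance(v, dict):
            if set(v) == {"@id"}:
                seen.add(v["@id"])
            stack.extend(v.values())
        elif isinstance(v, list):
            stack.extend(v)
    return sorted(seen - defined)
```

Serialise the returned dict with json.dumps to obtain the JSON-LD document that would travel as the EP attachment; the dangling-reference check is the kind of integrity test worth running before the package leaves the sending authority.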

Search and Seizure


Tool: Digital Forensics Tools Catalogue

• About 1500 tools mapped

• Acquisition and analysis tools

• Tools categorized based on
  • Features (Computer/Mobile/Network)
  • License type (Free/Commercial/Only LE)
  • Platform (Windows/Linux/MacOS)


https://www.dftoolscatalogue.eu/


Forensic Acquisition


Data processing and extraction


SMS Messages

Not deleted SMS messages – Cellebrite UFED PA

Not deleted SMS messages – Magnet AXIOM

Exporting data from different tools


Comparing reports


Tool: UCO / CASE Converter

• Intermediate software layer developed to convert the output of a forensic tool into the UCO/CASE standard

• As a PoC it supports
  • XML report generated by Cellebrite UFED
  • XML report generated by Magnet Axiom (WIP)
  • XML from the Logicube Falcon hardware duplicator

The future…

• Support the development of the UCO / CASE language in forensic tools

• Develop tools to map/convert the output produced by different tools into UCO / CASE

• Work with software developers and cloud providers to facilitate the native adoption of the UCO / CASE language

Conversion and parsing tools

Obtaining Cloud Provider data – https://www.facebook.com/records/login/

Obtaining Cloud Provider data


Analyzing Cloud Provider data

Obtaining Cloud Provider data – https://legalrequests.twitter.com/

Analyzing Cloud Provider data


Analyzing Cloud Provider data…

Conversion and parsing of Cloud Provider data

Thanks for your attention

Questions?

Mattia Epifani / CNR-IGSG

mattia.epifani@igsg.cnr.it
